# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default cPanel environment.
# The exclusions are only active if crs_exclusions_cpanel=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.


SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
    "id:9005000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-CPANEL"

SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
    "id:9005001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    skipAfter:END-CPANEL"


#
# [ cPanel whm-server-status ]
#
# Cpanel's WHM auto generates requests to /whm-server-status from
# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes.
# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins).
#

#
# Rule to allow cPanel whm-server-status requests from localhost without log entry.
#
SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \
    "id:9005100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-apache',\
    tag:'attack-generic',\
    ver:'OWASP_CRS/3.3.5',\
    chain"
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
        "t:none,\
        ctl:ruleRemoveById=920280,\
        ctl:ruleRemoveById=920350"


SecMarker "END-CPANEL"